
On August 18, 2003, the Microsoft Product Support Services Security Team issued an alert to inform customers about a new worm. A worm is a type of computer virus that generally spreads without user action and that distributes complete copies (possibly modified) of itself across networks (such as the Internet). Generally known as "Nachi," this new worm exploits the vulnerabilities that were addressed by Microsoft Security Bulletins MS03-026 (823980) and MS03-007 (815021) to spread itself over networks by using open Remote Procedure Call (RPC) ports or the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol that is supported by Internet Information Services (IIS) 5.0.

This article contains information for network administrators and IT professionals about how to prevent and how to recover from an infection from the Nachi worm. The Nachi worm is also known as W32/Nachi.worm (Network Associates), Lovsan.D (F-Secure), WORM_MSBLAST.D (Trend Micro), and W32.Welchia.Worm (Symantec).

Computers that are running any of the products that are listed at the beginning of this article are vulnerable if either the 823980 (MS03-026) security patch or the 815021 (MS03-007) security patch was not installed before August 18, 2003 (the date that this worm was discovered). The worm needs only one of the two vulnerabilities to infect a computer, so a computer that is missing either patch is exposed.

Note It has not been confirmed that any current versions of this worm have infected computers that are running Windows Server 2003 or Windows NT 4.0.

For additional information about recovering from this worm, contact your antivirus software vendor.

Symptoms of Infection

If your computer is infected with this worm, you may experience the same symptoms that are documented in Microsoft Knowledge Base article 826955 for the Blaster worm and its variants.

Additionally, the Dllhost.exe file or the Svchost.exe file may exist in your %windir%\System32\Wins folder.

Note Dllhost.exe and Svchost.exe are valid Windows files, but the genuine copies are located in the %windir%\System32 folder, not in the %windir%\System32\Wins folder. The Svchost.exe file that this worm copies to the %windir%\System32\Wins folder is a copy of the Windows Tftpd.exe file (a TFTP server). The Dllhost.exe file that this worm copies to the %windir%\System32\Wins folder is the worm itself. The worm's Dllhost.exe typically has a file size over 10,000 bytes. The valid Windows Dllhost.exe file has a file size of 5,632 bytes (Windows Server 2003), 4,608 bytes (Windows XP), or 5,904 bytes (Windows 2000). Do not rely on the file size alone; use your antivirus vendor's signatures to confirm the file.
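The file check above can be scripted. The following is an added example, not code from the Microsoft article: it looks for the two file names in %windir%\System32\Wins, compares the size of any Dllhost.exe it finds with the genuine sizes listed above, and hashes each hit so the hash can be sent to your antivirus vendor. The directory layout it builds for a dry run is constructed from placeholder bytes, not worm files; pass %windir% (or the path of a copied Windows tree) on the command line to check a real system.

```python
"""Check a Windows directory tree for the Nachi file artifacts described above.

Added triage example; this is not code from Microsoft's article. It looks for
Dllhost.exe and Svchost.exe inside %windir%\\System32\\Wins, compares the size
of any Dllhost.exe it finds with the documented sizes of the genuine file, and
hashes each hit so the hash can be sent to the antivirus vendor. The windir
argument lets the same check run against a mounted or copied disk image.
"""
import hashlib
import os
import sys
import tempfile
from pathlib import Path

# Sizes in bytes of the genuine %windir%\System32\Dllhost.exe, from the article.
GENUINE_DLLHOST_SIZES = {
    "Windows Server 2003": 5632,
    "Windows XP": 4608,
    "Windows 2000": 5904,
}
# The article says the worm's Dllhost.exe is typically larger than this.
WORM_BODY_MIN_SIZE = 10_000
WORM_FILE_NAMES = ("dllhost.exe", "svchost.exe")


def sha256_of(path):
    """SHA-256 of a file, read in chunks so a large file does not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_wins_folder(windir):
    """Return one finding per Dllhost.exe or Svchost.exe under System32\\Wins.

    A genuine Wins folder (present when the WINS service is installed) holds
    the WINS service files, never Dllhost.exe or Svchost.exe, so either name
    there is an indicator on its own; the size and hash add confidence.
    """
    wins = Path(windir) / "System32" / "Wins"
    findings = []
    if not wins.is_dir():
        return findings
    for entry in sorted(wins.iterdir()):
        name = entry.name.lower()
        if name not in WORM_FILE_NAMES or not entry.is_file():
            continue
        size = entry.stat().st_size
        finding = {"name": name, "path": str(entry), "size": size,
                   "sha256": sha256_of(entry)}
        if name == "dllhost.exe":
            # Dllhost.exe in this folder is the worm body itself; the genuine
            # program is under 6,000 bytes, so a large file here is the worm.
            finding["looks_like_worm_body"] = size >= WORM_BODY_MIN_SIZE
            finding["matches_genuine_size"] = [
                os_name for os_name, s in GENUINE_DLLHOST_SIZES.items() if s == size]
            finding["reason"] = "Dllhost.exe in System32\\Wins (genuine file lives in System32)"
        else:
            # Svchost.exe here is the worm's renamed copy of Tftpd.exe, the TFTP
            # server it uses to hand its body to newly exploited computers.
            finding["looks_like_worm_body"] = False
            finding["reason"] = "Svchost.exe in System32\\Wins (worm's copy of Tftpd.exe)"
        findings.append(finding)
    return findings


def build_sample_tree(root):
    """Create a constructed sample layout for a dry run (placeholder bytes, not
    real worm files): an oversized dllhost.exe, a svchost.exe, and a WINS
    service file that must not be flagged."""
    wins = Path(root) / "System32" / "Wins"
    wins.mkdir(parents=True)
    (wins / "dllhost.exe").write_bytes(b"\x90" * 12_000)
    (wins / "svchost.exe").write_bytes(b"\x90" * 5_000)
    (wins / "winsevnt.dll").write_bytes(b"\x90" * 100)
    return wins


def demo():
    """Run the check against the constructed sample tree and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return check_wins_folder(tmp)


if __name__ == "__main__":
    # Live host: python nachi_files.py %windir%   (or any copied Windows tree).
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("windir")
    for f in check_wins_folder(target) if target else demo():
        print(f"{f['path']}: {f['size']} bytes sha256={f['sha256']} ({f['reason']})")
```

The hash, not the file, is what to hand to the vendor; the size comparison is only a hint, because a future variant can be any size.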

Technical Details

Similar to the Blaster worm and its variants, this worm exploits the vulnerability that is addressed in Microsoft Security Bulletin MS03-026. After it exploits a target computer, the worm instructs that computer to download a copy of the worm from the infecting computer by using the TFTP program (UDP port 69).

In addition to exploiting the RPC vulnerability that is addressed in Microsoft Security Bulletin MS03-026, this worm also spreads itself by using the previously addressed vulnerability in Microsoft Security Bulletin MS03-007. This exploit is directed at IIS 5.0 over port 80.
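Both spreading mechanisms leave traces in the output of netstat -an on an infected computer: the TFTP server (UDP port 69) that serves the worm body, and a burst of outbound connection attempts to TCP port 135 or TCP port 80 on many different hosts. The following is an added example, not code from the Microsoft article, that parses netstat -an lines and flags those two signals. The sample output and the five-peer scanning threshold are assumptions made for the example.

```python
"""Flag the network behaviour this article attributes to Nachi in netstat -an output.

Added example; this is not code from Microsoft's article. Two signals are
checked: a UDP 69 (TFTP) listener, which the worm creates by running its
renamed copy of Tftpd.exe, and outbound connection attempts to many distinct
hosts on TCP 135 (RPC, MS03-026) or TCP 80 (IIS WebDAV, MS03-007). The sample
netstat output below is constructed; the scanning threshold is an assumption.
"""
import re
import sys
from collections import defaultdict

WORM_TARGET_TCP_PORTS = {135, 80}
TFTP_PORT = 69
# Distinct peers on one worm port before the host is called a scanner (assumed).
SCAN_PEER_THRESHOLD = 5

# One Windows netstat -an row: proto, local addr:port, remote addr:port, optional state.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return a list of row dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        rows.append({
            "proto": proto,
            "local_addr": laddr,
            "local_port": None if lport == "*" else int(lport),
            "remote_addr": raddr,
            "remote_port": None if rport == "*" else int(rport),
            "state": state,
        })
    return rows


def triage(text):
    """Return human-readable findings for the netstat rows in text."""
    rows = parse_netstat(text)
    findings = []

    # Signal 1: a TFTP server. Nachi serves its own body over TFTP to each host
    # it exploits, so a UDP 69 listener on a workstation or ordinary server is
    # suspicious (a real TFTP server is rare and would be known to the admin).
    for r in rows:
        if r["proto"] == "UDP" and r["local_port"] == TFTP_PORT:
            findings.append(
                f"UDP 69 listener on {r['local_addr']}: TFTP server is running "
                "(the worm serves itself over TFTP)")

    # Signal 2: this host is reaching out to many peers on an exploit port.
    # Only rows whose REMOTE port is 135 or 80 are outbound attempts; the
    # LISTENING row on local port 135 that every Windows host shows has remote
    # port 0 and is ignored.
    peers = defaultdict(set)
    for r in rows:
        if (r["proto"] == "TCP"
                and r["remote_port"] in WORM_TARGET_TCP_PORTS
                and r["state"] in ("SYN_SENT", "ESTABLISHED")):
            peers[r["remote_port"]].add(r["remote_addr"])
    for port in sorted(peers):
        if len(peers[port]) >= SCAN_PEER_THRESHOLD:
            findings.append(
                f"{len(peers[port])} distinct peers contacted on TCP {port}: "
                "looks like propagation scanning")
    return findings


# Constructed sample: an infected Windows XP host in the middle of a scan.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1043      192.168.1.1:80         ESTABLISHED
  TCP    192.168.1.20:1101      10.0.0.1:135           SYN_SENT
  TCP    192.168.1.20:1102      10.0.0.2:135           SYN_SENT
  TCP    192.168.1.20:1103      10.0.0.3:135           SYN_SENT
  TCP    192.168.1.20:1104      10.0.0.4:135           SYN_SENT
  TCP    192.168.1.20:1105      10.0.0.5:135           ESTABLISHED
  TCP    192.168.1.20:1106      10.0.0.6:135           SYN_SENT
  UDP    0.0.0.0:69             *:*
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    # Real host: netstat -an > netstat.txt, then python nachi_net.py netstat.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    for finding in triage(text) or ["no Nachi indicators found"]:
        print(finding)
```

On the sample the single connection to port 80 stays below the threshold (a normal Web browsing session looks the same), while the six half-open connections to port 135 and the TFTP listener are reported.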

Upon successful infection, this worm improperly installs the 823980 (MS03-026) security patch on infected computers by first determining the operating system and then downloading the associated security patch for that operating system. The improper installation of the files and registry settings that are associated with the 823980 (MS03-026) security patch may leave infected computers vulnerable to the issues that are documented in Microsoft Security Bulletin MS03-026 and may cause problems when you try to install the Microsoft version of the 823980 (MS03-026) security patch. The following symptoms may indicate that the 823980 (MS03-026) security patch was installed by the Nachi worm:

There is no entry for the 823980 (MS03-026) security patch in Add or Remove Programs tool. For example, Windows XP Hotfix - KB823980 does not appear in the Add or Remove Programs list. This problem remains even after you install the Microsoft version of the 823980 (MS03-026) security patch. This problem occurs because the worm installs the 823980 (MS03-026) security patch in "no archive" mode. An administrator can install the 823980 (MS03-026) security patch in "no archive" mode by using the /n switch.

Prevention

To prevent infection, enable the Internet Connection Firewall (ICF), install both security patches, and keep your antivirus signatures current. To enable ICF in Windows XP or Windows Server 2003, follow these steps:

Click Start, and then click Control Panel.

In Control Panel, double-click Network and Internet Connections, and then click Network Connections.

Right-click the connection where you want to enable ICF, and then click Properties.

Click the Advanced tab, and then click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box.

Note Some dial-up connections may not appear in the Network Connections folder. For example, AOL and MSN dial-up connections may not appear. Sometimes, you can use the following procedure to enable ICF for a connection that does not appear in the Network Connections folder. If these steps do not work, contact your Internet service provider (ISP) for information about how to firewall your Internet connection.

Start Internet Explorer.

On the Tools menu, click Internet Options.

Click the Connections tab, click the dial-up connection that you use to connect to the Internet, and then click Settings.

In the Dial-up settings area, click Properties.

Click the Advanced tab, and then click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box.

For additional information about how to enable Internet Connection Firewall in Windows XP or in Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

Note ICF is only available in Windows XP, in Windows Server 2003, Standard Edition, and in Windows Server 2003, Enterprise Edition. Basic Firewall is a component of Routing and Remote Access that you can enable for any public interface on a computer that is running Routing and Remote Access and that is a member of the Windows Server 2003 family.

This worm uses two previously announced vulnerabilities as part of its infection method. Because of this, make sure that you have installed both the 823980 and 815021 security patches on all your computers to address the vulnerabilities that are identified in Microsoft Security Bulletins MS03-026 and MS03-007. The 824146 security patch (MS03-039) replaces the 823980 security patch and includes the fixes for the issues that are addressed in Microsoft Security Bulletin MS03-026 (823980). Microsoft recommends that you install the 824146 security patch.
For additional information about the 824146 security patch, see Microsoft Knowledge Base article 824146, "A buffer overrun in RPCSS could allow an attacker to run malicious programs."


Use the latest virus-detection signature from your antivirus vendor to detect new viruses and their variants.

Recovery

Best practices for security suggest that you perform a complete "clean" installation on a previously compromised computer, because a worm that has run code on a computer may have left behind changes that a removal tool does not detect and that can lead to a future compromise. For additional information, see the CERT Coordination Center (CERT/CC) advisories on recovering from a compromised system.

However, many antivirus companies provide tools that remove this particular worm. To recover from an infection, use one of the following procedures, depending on your operating system. Each procedure includes running the removal tool from your antivirus vendor.

Recovery for Windows XP and Windows Server 2003

Enable the Internet Connection Firewall (ICF). To do this, follow these steps:

Click Start, and then click Control Panel.

In Control Panel, double-click Network and Internet Connections, and then click Network Connections.

Right-click the connection where you want to enable ICF, and then click Properties.

Click the Advanced tab, and then click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box.

Notes

If your computer shuts down or restarts repeatedly when you try to follow these steps, disconnect from the Internet before you enable your firewall. If you connect to the Internet over a broadband connection, locate the cable that runs from your external DSL modem or cable modem, and then unplug that cable either from the modem or from the telephone jack. If you use a dial-up connection, locate the telephone cable that runs from the modem that is inside your computer to your telephone jack, and then unplug that cable either from the telephone jack or from your computer. If you cannot disconnect from the Internet, use the following command to configure RPCSS to not restart your computer when the service fails:

sc failure rpcss reset= 0 actions= restart

This command only stops the automatic restart; the RPCSS service still fails each time the worm attacks it, so install the security patch and enable the firewall as soon as you can. To reset RPCSS to the default recovery setting (restart the computer 60,000 milliseconds, that is 60 seconds, after the service fails) after you complete these steps, use the following command:

sc failure rpcss reset= 0 actions= reboot/60000

If more than one computer shares an Internet connection, use a firewall only on the computer that is directly connected to the Internet. Do not use ICF on the other computers that share the Internet connection, because it blocks file and printer sharing between them. Those computers can still reach each other on the local network, so make sure that each of them is patched. If you are running Windows XP, use the Network Setup Wizard to enable ICF.

Using a firewall should not affect your e-mail service or Web browsing, but a firewall can disable some Internet software, services, or features. If this behavior occurs, you may have to open some ports on your firewall for some Internet feature to work. To determine which ports you must open, see the documentation that is included with the Internet service that is not working. To determine how to open these ports, see the documentation that is included with your firewall.
For additional information, see the Microsoft Knowledge Base article "How to manually open ports in Internet Connection Firewall in Windows XP."

If the connection that you use does not appear in the Network Connections folder (for example, an AOL or MSN dial-up connection), use the Internet Explorer procedure that is described earlier in this article to enable ICF for it. If that procedure does not work, contact your Internet service provider (ISP) for information about how to firewall your Internet connection. ICF is available only in Windows XP, in Windows Server 2003, Standard Edition, and in Windows Server 2003, Enterprise Edition.

Download and install both the 824146 and the 815021 security patches on all your computers to address the vulnerabilities that are identified in Microsoft Security Bulletins MS03-039, MS03-026, and MS03-007.
For additional information about the 824146 security patch and any prerequisites (such as a service pack for your version of Windows), see Microsoft Knowledge Base article 824146, "A buffer overrun in RPCSS could allow an attacker to run malicious programs."


Install or update your antivirus signature software, and then run a complete system scan.

Download and then run the worm-removal tool from your antivirus vendor.

Recovery for Windows 2000 and Windows NT 4.0

The Internet Connection Firewall feature is not available in Windows 2000 or Windows NT 4.0. If Microsoft Internet Security and Acceleration (ISA) Server 2000 or a third-party firewall is not available to block TCP ports 135, 139, 445, and 593; UDP ports 69 (TFTP), 135, 137, and 138; and TCP port 80, follow these steps to help block the affected ports for local area network (LAN) connections. TCP/IP filtering works as a permit list: after you select Permit only, traffic that arrives at any port you have not entered is dropped, so enter only the ports that the computer must accept (never the ports that are listed here), and test the services that you rely on afterwards. Blocking TCP port 80 stops a Web server from serving pages; on such a computer the 815021 (MS03-007) security patch, not a port block, is the fix. TCP/IP Filtering is not available for dial-up connections. If you are using a dial-up connection to connect to the Internet, you should enable a firewall.

Configure TCP/IP security. To do this, use the procedure for your operating system.

Windows 2000

In Control Panel, double-click Network and Dial-up Connections.

Right-click the interface that you use to access the Internet, and then click Properties.

In the Components checked are used by this connection box, click Internet Protocol (TCP/IP), and then click Properties.

If your computer shuts down or restarts repeatedly when you try to follow these steps, disconnect from the Internet before you enable your firewall. If you connect to the Internet over a broadband connection, locate the cable that runs from your external DSL or cable modem, and then unplug that cable either from the modem or from the telephone jack. If you use a dial-up connection, locate the telephone cable that runs from the modem that is inside your computer to your telephone jack, and then unplug that cable either from the telephone jack or from your computer.

If more than one computer shares an Internet connection, use a firewall only on the computer that is directly connected to the Internet. Do not use a firewall on the other computers that share the Internet connection.


These steps are based on a modified excerpt from Microsoft Knowledge Base article 309798.

Windows NT 4.0

Click to select the Enable Security check box, and then click Configure.

In the TCP Ports column, the UDP Ports column, and the IP Protocols column, click to select the Permit only setting.

Click OK, and then close the Network tool.

Download and install both the 824146 and the 815021 security patches on all your computers to address the vulnerabilities that are identified in Microsoft Security Bulletins MS03-039, MS03-026, and MS03-007. The 824146 security patch replaces the 823980 security patch and includes the fixes for the issues that are addressed in Microsoft Security Bulletin MS03-026 (823980). Microsoft recommends that you install the 824146 security patch.
For additional information about the 824146 security patch, see Microsoft Knowledge Base article 824146, "A buffer overrun in RPCSS could allow an attacker to run malicious programs."
